scp suite-b
Use scp suite-b to establish a connection to an SCP server based on Suite B algorithms and transfer files with the server.
Syntax
scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ source { interface interface-type interface-number | ip ip-address } ] * [ user username [ password password ] ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters.
port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.
get: Downloads the file.
put: Uploads the file.
source-file-name: Specifies the name of the source file, a case-sensitive string of 1 to 255 characters.
destination-file-name: Specifies the name of the target file, a case-sensitive string of 1 to 255 characters. If you do not specify this argument, the target file uses the same file name as the source file.
suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see Table 60.
128-bit: Specifies the 128-bit Suite B security level.
192-bit: Specifies the 192-bit Suite B security level.
pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes (').
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes ('). If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.
prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported.
zlib: Specifies compression algorithm zlib.
source: Specifies a source IP address or source interface for SCP packets. By default, the device uses the primary IPv4 address of the output interface in the routing entry as the source address of SCP packets. As a best practice to ensure successful SCP connections, specify a loopback interface as the source interface or specify the IPv4 address of the interface as the source IPv4 address.
interface interface-type interface-number: Specifies a source interface by its type and number. The IPv4 address of this interface is the source IPv4 address of the SCP packets.
ip ip-address: Specifies a source IPv4 address.
user username: Specifies an SCP username, a case-sensitive string of 1 to 80 characters. If the username contains an ISP domain name, use the pureusername@domain, pureusername/domain, or domain\pureusername format.
password password: Specifies a password in plaintext form, a case-sensitive string of 1 to 63 characters.
Usage guidelines
Table 60: Suite B algorithms
Security level | Key exchange algorithm | Encryption algorithm and HMAC algorithm | Public key algorithm |
|---|---|---|---|
128-bit | ecdh-sha2-nistp256 | AES128-GCM | x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 |
192-bit | ecdh-sha2-nistp384 | AES256-GCM | x509v3-ecdsa-sha2-nistp384 |
Both | ecdh-sha2-nistp256 ecdh-sha2-nistp384 | AES128-GCM AES256-GCM | x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 |
If you do not specify a username and password in the command, you must provide the username and password in an interactive way.
If the SCP server uses publickey authentication, the password specified by this command is ignored.
Examples
# Use the 128-bit Suite B algorithms to establish a connection to SCP server 200.1.1.1 and download the file abc.txt from the server. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively.
<Sysname> scp 200.1.1.1 get abc.txt suite-b 128-bit pki-domain clientpkidomain server-pki-domain serverpkidomain Username: